net: coap: Verify block number before processing

Verify if the block number isn't negative before processing it, to prevent potentially undefined behavior. This was reported by the undefined behavior sanitizer. Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
2 weeks ago · d720971ae2
1 changed files with 14 additions and 3 deletions
--- a/subsys/net/lib/coap/coap.c
+++ b/subsys/net/lib/coap/coap.c
@ -1471,12 +1471,17 @@ static int update_descriptive_block(struct coap_block_context *ctx,
				@@ -1471,12 +1471,17 @@ static int update_descriptive_block(struct coap_block_context *ctx,
 static int update_control_block1(struct coap_block_context *ctx,
 				 int block, int size)
 {
-	size_t new_current = GET_NUM(block) << (GET_BLOCK_SIZE(block) + 4);
+	size_t new_current;

 	if (block == -ENOENT) {
 		return 0;
 	}

+	if (block < 0) {
+		return -EINVAL;
+	}
+
+	new_current = GET_NUM(block) << (GET_BLOCK_SIZE(block) + 4);
 	if (new_current != ctx->current) {
 		return -EINVAL;
 	}
@ -1497,12 +1502,18 @@ static int update_control_block1(struct coap_block_context *ctx,
				@@ -1497,12 +1502,18 @@ static int update_control_block1(struct coap_block_context *ctx,
 static int update_control_block2(struct coap_block_context *ctx,
 				 int block, int size)
 {
-	size_t new_current = GET_NUM(block) << (GET_BLOCK_SIZE(block) + 4);
+	size_t new_current;

 	if (block == -ENOENT) {
 		return 0;
 	}

+	if (block < 0) {
+		return -EINVAL;
+	}
+
+	new_current = GET_NUM(block) << (GET_BLOCK_SIZE(block) + 4);
+
 	if (GET_MORE(block)) {
 		return -EINVAL;
 	}